Add SSL to security/privacy play. #40

Open

Conversation

greggersh

There's a whole host of reasons why it makes sense for all government websites to default to SSL encryption. It ensures that all user interactions with the site are encrypted, giving citizens more confidence in your application. It ensures that your content will be visible to more users, as many corporate networks block unsecured sites for security reasons (fun fact: many government websites are inaccessible to the employees of the agency that operates those sites). And it's now viewed as an important criteria for inclusion and ranking in major search engines like Google. I'm sure there are additional reasons as well, but the bottom line is that defaulting to SSL encryption might be the best thing one can do to enhance and protect users and their privacy.

I tried to make the language succinct and clear, but more than happy if someone can say it better, if this is of interest.

@garethr

garethr commented Aug 26, 2014

I'd suggest dropping the 'default' here, it suggests an alternative when I don't think one is intended. Note that we made a similar stipulation in the UK government.

@konklone

👍 to @garethr's proposed tweak. Also, the better watchword is TLS, especially since SSLv3 was recently (finally) axed. And I'd remove the "user" aspect, in case it implies that backend communications need not be.

So my suggested bullet:

Encrypt all communications with your site using TLS.

And to back up this pull request generally: I'd love to see USDS and the White House broadly get behind a visible push for getting all .gov websites behind HTTPS. The US government owes it to its citizens to make their connections to its services private, untampered-with, and secure. It doesn't matter whether the traffic is "sensitive" or not — taken collectively, all traffic is sensitive.

The grand vision here — though it's clearly some time off — should be to turn on Strict Transport Security for the entire .gov TLD. There will need to be many milestones along the way. Including some normative guidance from USDS on this front is a nice first step in that direction. Expect to see some work from 18F on this in the near future as well.
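The two properties argued for in this thread, redirect every plain-HTTP request to HTTPS and send a Strict-Transport-Security header on every HTTPS response, can be checked mechanically. The following is an added example, not code from this pull request or the Playbook; the responses are constructed dicts for a placeholder example.gov, and the one-year max-age floor is an assumption for illustration.

```python
"""Offline audit of HTTP->HTTPS redirection and HSTS header strength.

Responses are constructed dicts keyed by request URL, not live traffic.
"""
from urllib.parse import urlparse

# Constructed (status, headers) pairs for a placeholder site; not real data.
SAMPLE_RESPONSES = {
    "http://example.gov/": (301, {"Location": "https://example.gov/"}),
    "http://example.gov/forms": (200, {"Content-Type": "text/html"}),  # served in the clear
    "https://example.gov/": (200, {"Strict-Transport-Security":
                                   "max-age=31536000; includeSubDomains; preload"}),
    "https://example.gov/forms": (200, {"Strict-Transport-Security": "max-age=300"}),
}

MIN_MAX_AGE = 31536000  # assumed floor: one year, so browsers remember the policy


def parse_hsts(value):
    """Split an HSTS header value into {directive_name: value}; names are case-insensitive."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"')
    return directives


def check_response(url, status, headers):
    """Return a list of findings for one response; an empty list means compliant."""
    findings = []
    lower = {k.lower(): v for k, v in headers.items()}
    if urlparse(url).scheme == "http":
        # Plain HTTP must only ever answer with a redirect to an https:// URL.
        if not (300 <= status < 400 and lower.get("location", "").startswith("https://")):
            findings.append(f"{url}: plain HTTP is served instead of redirected to HTTPS")
        return findings
    hsts = lower.get("strict-transport-security")
    if hsts is None:
        return [f"{url}: no Strict-Transport-Security header"]
    d = parse_hsts(hsts)
    max_age = int(d["max-age"]) if d.get("max-age", "").isdigit() else 0
    if max_age < MIN_MAX_AGE:
        findings.append(f"{url}: HSTS max-age {max_age} is below {MIN_MAX_AGE}")
    if "includesubdomains" not in d:
        findings.append(f"{url}: HSTS lacks includeSubDomains")
    return findings


def audit(responses):
    """Run check_response over every captured response and collect the findings."""
    return [f for url, (st, hdrs) in responses.items() for f in check_response(url, st, hdrs)]
```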

@jhfrench
Contributor

"And it's now viewed as an important criteria for inclusion and ranking in major search engines like Google."

@greggersh: Can you provide a reference for this assertion? I'd like to read up on that...

@davidbody

I came across the proposed HTTPS-Only Standard for federal domains right after I saw this pull request.

@konklone

> I came across the proposed HTTPS-Only Standard for federal domains right after I saw this pull request.

@davidbody It's since been finalized as White House Office of Management and Budget memorandum M-15-13.

@cew821
Contributor

cew821 commented Aug 16, 2015

I think it would be great to include this as an item in Play 11 now that it's been finalized. @konklone, can you review this proposed change and let us know if you think this captures it well? Or if not, suggest some amended language to be used for the item in the play?

@konklone

I would suggest moving away from "SSL" as the shorthand, since it's become a fully deprecated protocol since this PR was filed. My suggestion:

Require a secure connection (HTTPS) to every part of your website.
